1 Scope
This Policy applies to all users of the Medichat platform, including patients, visitors, and healthcare providers, and governs all personal data and sensitive personal data processed through the Platform.
2 Data Controller
Medichat is the Data Controller for all personal data processed on the Platform.
Legal Entity: Medichat Technologies
Address: Hilton building, Book foundation junction ifite awka
Email: [email protected]
3 Information We Collect
We collect only data that is necessary, relevant, and lawful.
Personal Data
- Name, email, phone number
- Date of birth, gender
- Identification details
Health Data
- Medical history & symptoms
- Consultation records
- Prescriptions & care plans
- Uploaded medical files
Technical Data
- IP address & device info
- Usage logs & metadata
- Voice & video streams (during active calls, via Agora RTC)
- Device token (for push notifications via Firebase)
4 Legal Grounds for Processing
Personal data is processed only where a lawful basis exists, including: explicit user consent (mandatory for health data), medical necessity for diagnosis, care, or treatment, performance of a contract (service delivery), compliance with legal and regulatory obligations, and legitimate business interests limited strictly to non‑medical operations.
Health data is never processed without explicit, informed, and recorded consent.
5 How We Use Data
We use personal data to facilitate and document telemedicine consultations, maintain accurate medical records, match users with licensed healthcare providers, process payments and appointments, improve Platform safety and performance, prevent fraud and misuse, and comply with applicable laws.
6 Data Sharing and Disclosure
Data may be shared strictly on a need‑to‑know basis with licensed healthcare providers involved in a user's care, payment processors and financial service providers, cloud hosting and security vendors, and regulatory or law‑enforcement authorities where legally required. All third parties are bound by contractual confidentiality and NDPR‑compliant data protection obligations.
AI-Powered Symptom Analysis — Third-Party Data Processor
Medichat uses an AI language model (Grok AI, provided by xAI) to analyze symptom information entered by users during chat sessions. This analysis is used solely to assess risk levels and determine whether escalation to a licensed healthcare provider is appropriate.
Symptom data submitted to the AI is processed under strict confidentiality obligations. The AI does not provide medical diagnoses. All clinical decisions remain the sole responsibility of licensed healthcare providers on the Platform.
Users are informed of this processing at the point of accessing the AI feature and must acknowledge it before proceeding. By using the AI symptom chat, you explicitly consent to this processing.
Real-Time Video & Audio Calls — Third-Party Infrastructure Provider
Medichat uses Agora RTC (provided by Agora.io, Inc.) to power real-time audio and video consultations between patients and healthcare providers. During an active call, your audio and video streams are routed through Agora's global media servers solely for the purpose of transmitting the call in real time.
Agora does not store recordings of your calls on our behalf. Agora processes this data as a data processor acting under our instructions, and is bound by confidentiality and data-protection obligations consistent with applicable law.
Voice and video data transmitted via Agora is used exclusively for call delivery and is not used for advertising, profiling, or any purpose beyond the immediate consultation session.
Agora.io Privacy Policy: agora.io/en/privacy-policy
7 Cross‑Border Data Transfers
Where personal data is transferred outside Nigeria (including for AI symptom processing), adequate legal, technical, and organizational safeguards are implemented. Transfers are limited to jurisdictions with acceptable data‑protection standards, and users are informed and consent is obtained where required by law.
8 Data Security
We implement industry‑appropriate administrative, technical, and physical safeguards including encryption of data in transit and at rest, role‑based and least‑privilege access controls, secure authentication mechanisms, and continuous monitoring and regular security audits.
9 Data Retention
10 User Rights
Users have the right to access their personal data, request correction of inaccurate data, withdraw consent (subject to medical and legal obligations), request deletion where lawful, and object to certain non‑medical processing activities.
11 Data Breach Notification
In the event of a personal data breach, relevant regulatory authorities will be notified where required by law, affected users will be informed without undue delay, and remedial actions will be taken to prevent recurrence.
12 Children's Data
Medichat does not permit users under the age of 13 to create accounts or use the Platform. Registration requires entry of a date of birth, and account creation is blocked for anyone identified as under 13 years of age at the point of signup.
Users aged 13 to 17 may only access the Platform with verified parental or legal-guardian consent, in accordance with Nigerian law and the NDPA 2023. Medichat does not knowingly collect or retain personal data from users under 13. If we become aware that such data has been collected, it will be deleted without undue delay.
13 Cookies and Website Tracking
The Medichat website does not currently use analytics tools, advertising cookies, or third-party tracking scripts. Basic session and preference data may be stored locally in your browser to support navigation and display settings (such as dark mode). No personal data is sent to third parties via the website for marketing or tracking purposes.
If analytics or tracking tools are introduced in future, this Policy will be updated and users will be notified in advance.
14 Policy Updates
This Policy may be updated periodically to reflect legal, regulatory, or operational changes. Material changes will be communicated through the Platform.